Every CVE whose affected-product data names Elastic Elasticsearch, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (50)
CVE-2015-5377 — CVSS 9.8 (critical): Elasticsearch before 1.6.1 allows remote attackers to execute arbitrary code via unspecified vectors involving the transport protocol…
CVE-2020-7009 — CVSS 8.8 (high): Elasticsearch versions from 6.7.0 before 6.8.8 and 7.0.0 before 7.6.2 contain a privilege escalation flaw if an attacker is able to create…
CVE-2018-3831 — CVSS 8.8 (high): Elasticsearch Alerting and Monitoring in versions before 6.4.1 or 5.6.12 have an information disclosure issue when secrets are configured…
CVE-2020-7014 — CVSS 8.8 (high): The fix for CVE-2020-7009 was found to be incomplete. Elasticsearch versions from 6.7.0 to 6.8.7 and 7.0.0 to 7.6.1 contain a privilege…
CVE-2019-7611 — CVSS 8.1 (high): A permission issue was found in Elasticsearch versions before 5.6.15 and 6.6.1 when Field Level Security and Document Level Security are…
CVE-2021-22146 — CVSS 7.5 (high): All versions of Elastic Cloud Enterprise has the Elasticsearch “anonymous” user enabled by default in deployed clusters. While in the…
CVE-2022-23712 — CVSS 7.5 (high): A Denial of Service flaw was discovered in Elasticsearch. Using this vulnerability, an unauthenticated attacker could forcibly shut down an…
CVE-2023-31418 — CVSS 7.5 (high): An issue has been identified with how Elasticsearch handled incoming requests on the HTTP layer. An unauthenticated user could force an…
CVE-2025-37731 — CVSS 6.8 (medium): Improper Authentication in Elasticsearch PKI realm can lead to user impersonation via specially crafted client certificates. A malicious…
CVE-2021-22144 — CVSS 6.5 (medium): In Elasticsearch versions before 7.13.3 and 6.8.17 an uncontrolled recursion vulnerability that could lead to a denial of service attack…
CVE-2018-17244 — CVSS 6.5 (medium): Elasticsearch Security versions 6.4.0 to 6.4.2 contain an error in the way request headers are applied to requests when using the Active…
CVE-2018-3826 — CVSS 6.5 (medium): In Elasticsearch versions 6.0.0-beta1 to 6.2.4 a disclosure flaw was found in the _snapshot API. When the access_key and security_key…
CVE-2020-7019 — CVSS 6.5 (medium): In Elasticsearch before 7.9.0 and 6.8.12 a field disclosure flaw was found when running a scrolling search with Field Level Security. If a…
CVE-2021-22145 — CVSS 6.5 (medium): A memory disclosure vulnerability was identified in Elasticsearch 7.10.0 to 7.13.3 error reporting. A user with the ability to submit…
CVE-2021-22147 — CVSS 6.5 (medium): Elasticsearch before 7.14.0 did not apply document and field level security to searchable snapshots. This could lead to an authenticated…
CVE-2023-31419 — CVSS 6.5 (medium): A flaw was discovered in Elasticsearch, affecting the _search API that allowed a specially crafted query string to cause a Stack Overflow…
CVE-2023-46673 — CVSS 6.5 (medium): It was identified that malformed scripts used in the script processor of an Ingest Pipeline could cause an Elasticsearch node to crash when…
CVE-2024-12539 — CVSS 6.5 (medium): An issue was discovered where improper authorization controls affected certain queries that could allow a malicious actor to circumvent…
CVE-2024-23445 — CVSS 6.5 (medium): It was identified that if a cross-cluster API key https://www.elastic.co/guide/en/elasticsearch/reference/8.14/security-api-create-cross-clu…
CVE-2024-43709 — CVSS 6.5 (medium): An allocation of resources without limits or throttling in Elasticsearch can lead to an OutOfMemoryError exception resulting in a crash via…
CVE-2024-52979 — CVSS 6.5 (medium): Uncontrolled Resource Consumption in Elasticsearch while evaluating specifically crafted search templates with Mustache functions can lead…
CVE-2024-52980 — CVSS 6.5 (medium): A flaw was discovered in Elasticsearch, where a large recursion using the innerForbidCircularReferences function of the PatternBank class…
CVE-2025-68384 — CVSS 6.5 (medium): Allocation of Resources Without Limits or Throttling (CWE-770) in Elasticsearch can allow a low-privileged authenticated user to cause…
CVE-2026-49090 — CVSS 6.5 (medium): Uncontrolled Resource Consumption (CWE-400) in Elasticsearch can lead to a denial of service via Excessive Allocation (CAPEC-130). An…
CVE-2026-56148 — CVSS 6.5 (medium): Uncontrolled Recursion (CWE-674) in Elasticsearch can lead to a denial of service via Excessive Allocation (CAPEC-130). An authenticated…
CVE-2023-46674 — CVSS 6.0 (medium): An issue was identified that allowed the unsafe deserialization of java objects from hadoop or spark configuration properties that could…
CVE-2019-7614 — CVSS 5.9 (medium): A race condition flaw was found in the response headers Elasticsearch versions before 7.2.1 and 6.8.2 returns to a request. On a system…
CVE-2018-17247 — CVSS 5.9 (medium): Elasticsearch Security versions 6.5.0 and 6.5.1 contain an XXE flaw in Machine Learning's find_file_structure API. If a policy allowing…
CVE-2021-37937 — CVSS 5.9 (medium): An issue was found with how API keys are created with the Fleet-Server service account. When an API key is created with a service account…
CVE-2025-37727 — CVSS 5.7 (medium): Insertion of sensitive information in log file in Elasticsearch can lead to loss of confidentiality under specific preconditions when…
CVE-2019-7619 — CVSS 5.3 (medium): Elasticsearch versions 7.0.0-7.3.2 and 6.7.0-6.8.3 contain a username disclosure flaw was found in the API Key service. An unauthenticated…
CVE-2021-22135 — CVSS 5.3 (medium): Elasticsearch versions before 7.11.2 and 6.8.15 contain a document disclosure flaw was found in the Elasticsearch suggester and profile API…
CVE-2021-22137 — CVSS 5.3 (medium): In Elasticsearch versions before 7.11.2 and 6.8.15 a document disclosure flaw was found when Document or Field Level Security is used…
CVE-2023-49921 — CVSS 5.2 (medium): An issue was discovered by Elastic whereby Watcher search input logged the search query results on DEBUG log level. This could lead to raw…
CVE-2020-7021 — CVSS 4.9 (medium): Elasticsearch versions before 7.10.0 and 6.8.14 have an information disclosure issue when audit logging and the emit_request_body option is…
CVE-2026-56149 — CVSS 4.9 (medium): Allocation of Resources Without Limits or Throttling (CWE-770) in Elasticsearch can lead to a denial of service via Excessive Allocation…
CVE-2025-68390 — CVSS 4.9 (medium): Allocation of Resources Without Limits or Throttling (CWE-770) in Elasticsearch can allow an authenticated user with snapshot restore…
CVE-2024-52981 — CVSS 4.9 (medium): An issue was discovered in Elasticsearch, where a large recursion using the Well-KnownText formatted string with nested GeometryCollection…
CVE-2024-23444 — CVSS 4.9 (medium): It was discovered by Elastic engineering that when elasticsearch-certutil CLI tool is used with the csr option in order to create a new…
CVE-2024-23450 — CVSS 4.9 (medium): A flaw was discovered in Elasticsearch, where processing a document in a deeply nested pipeline on an ingest node could cause the…
CVE-2024-37280 — CVSS 4.9 (medium): A flaw was discovered in Elasticsearch, affecting document ingestion when an index template contains a dynamic field mapping of…
CVE-2021-22132 — CVSS 4.8 (medium): Elasticsearch versions 7.7.0 to 7.10.1 contain an information disclosure flaw in the async search API. Users who execute an async search…
CVE-2024-23451 — CVSS 4.4 (medium): Incorrect Authorization issue exists in the API key based security model for Remote Cluster Security, which is currently in Beta, in…
CVE-2021-22134 — CVSS 4.3 (medium): A document disclosure flaw was found in Elasticsearch versions after 7.6.0 and before 7.11.0 when Document or Field Level Security is used…
CVE-2022-23708 — CVSS 4.3 (medium): A flaw was discovered in Elasticsearch 7.17.0’s upgrade assistant, in which upgrading from version 6.x to 7.x would disable the in-built…
CVE-2024-23449 — CVSS 4.3 (medium): An uncaught exception in Elasticsearch >= 8.4.0 and < 8.11.1 occurs when an encrypted PDF is passed to an attachment processor through the…
CVE-2023-31417 — CVSS 4.1 (medium): Elasticsearch generally filters out sensitive information and credentials before logging to the audit log. It was found that this filtering…
CVE-2020-7020 — CVSS 3.1 (low): Elasticsearch versions before 6.8.13 and 7.9.2 contain a document disclosure flaw when Document or Field Level Security is used. Search…